Handle XSS false positives
This solution configures an AWS WAF rule that inspects commonly explored elements of incoming requests to identify and block XSS attacks. This detection pattern is less effective if your workload allows legitimate users to compose and submit HTML, for example, using a rich text editor in a content management system. In this scenario, consider creating an exception rule that bypasses the default XSS rule for specific URL patterns that accept rich text input, and implement alternate mechanisms to protect those excluded URLs.
Additionally, some image or custom data formats can cause false positives because they contain patterns indicating a potential XSS attack in HTML content. For example, an SVG file might contain a <script> tag. If you expect this type of content from legitimate users, narrowly tailor your XSS rules to allow HTML requests that include these other data formats.
Complete the following steps to update the XSS rule to exclude URLs that accept HTML as input. Refer to the Amazon WAF Developer Guide for detailed instructions.
- Sign in to the AWS WAF console.
- Configure the filter settings to inspect the URI and list the values that you want to accept against the XSS rule.
- Edit this solution's XSS Rule and add the new condition that you created.

For example, to exclude all URLs in the list, choose the following for When a request:
- does not
- match at least one of the filters in the string match condition
- XSS Allowlist
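The same exception expressed as an AWS WAF rule, added here as an illustration rather than taken from this solution's own template. It assumes the WAFv2 rule JSON shown in the console rule editor (the steps above describe the console's string match condition instead), and the two allowlisted paths /cms/articles/ and /api/v1/svg-upload are invented placeholders: the rule blocks a request only when its URI path is NOT on the allowlist AND the query string or body matches the XSS detection, so the allowlisted paths bypass the XSS check but still pass through every other rule in the web ACL.

```json
{
  "Name": "XssRuleWithAllowlist",
  "Priority": 10,
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "XssRuleWithAllowlist"
  },
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "NotStatement": {
            "Statement": {
              "OrStatement": {
                "Statements": [
                  { "ByteMatchStatement": { "FieldToMatch": { "UriPath": {} }, "PositionalConstraint": "STARTS_WITH",
                      "SearchString": "/cms/articles/", "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ] } },
                  { "ByteMatchStatement": { "FieldToMatch": { "UriPath": {} }, "PositionalConstraint": "EXACTLY",
                      "SearchString": "/api/v1/svg-upload", "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ] } }
                ]
              }
            }
          }
        },
        {
          "OrStatement": {
            "Statements": [
              { "XssMatchStatement": { "FieldToMatch": { "QueryString": {} },
                  "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" }, { "Priority": 1, "Type": "HTML_ENTITY_DECODE" } ] } },
              { "XssMatchStatement": { "FieldToMatch": { "Body": {} },
                  "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" }, { "Priority": 1, "Type": "HTML_ENTITY_DECODE" } ] } }
            ]
          }
        }
      ]
    }
  }
}
```

Keep the allowlist as narrow as the STARTS_WITH and EXACTLY constraints allow, because every path it covers loses WAF-side XSS inspection and must rely on the application's own HTML sanitization.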